Who's on Tor? Dissent, bots or porn?

Researchers who found a vulnerability in the protocols used in the Tor anonymous Internet service used it to survey the traffic on the network. They found that "…while the content of Tor hidden services is rather varied, the most popular hidden services are related to botnets."

I don't know what the designers of Tor, a network and software used to facilitate anonymous Internet use, really intended when they built it. The PR answer is that they were promoting free speech, but if they were really creating a platform for concealing criminal activity they would have gone about it the same way.

Tor is one of those Internet services, like BitTorrent, which is designed to live on without any central administration at all. This enhances — so the theory goes anyway — the anonymity, security and resilience of the network. There's no site for the government or anyone else to shut down that will bring down Tor, nor would it be easy — again, so the theory goes — for the government or any other party to determine who is doing what on Tor.

It's not clear to me if the same vulnerabilities were involved, but earlier this year researchers at the University of Luxembourg (Alex Biryukov, Ivan Pustogarov and Ralf-Philipp Weinmann) found flaws in Tor, in both the protocol and the implementations, which allowed for mapping of Tor "hidden services".

They presented their paper on the flaws to the IEEE Symposium on Security and Privacy in May, showing that "…attacks to deanonymize hidden services at a large scale are practically possible with only a moderate amount of resources."

The flaws were quickly fixed in Tor, but before that Biryukov, Pustogarov and Weinmann used them to do a survey of hidden services on Tor; specifically they categorized the HTTP/HTTPS services and determined the popularity of each. They presented the results of this research in another paper.

Of the sites they studied (see below for more on which they studied and why), they found 18 categories of content:

There are many legit content topics on Tor, but they're not the most popular ones. Source: Alex Biryukov, Ivan Pustogarov and Ralf-Philipp Weinmann, Content and popularity analysis of Tor hidden services

The overall selection of content topics is actually pretty broad. But 44% of the sites are related to drugs, adult content, counterfeit (selling counterfeit products, stolen credit card numbers, hacked accounts, etc.). The Services pages include some which offer money laundering, escrow services, and hiring a killer or a thief.

Further analysis showed that the high-traffic sites are dominated by what appear (based on behavior) to be botnet command and control. Adult sites are also heavily represented among the more popular sites. When you get down to the less-sleazy traffic, it's a small percentage of the total.

There are some potential weaknesses in the study. For instance, the researchers didn't read every service on Tor, just those which met certain technical criteria which allowed them to connect over HTTP/HTTPS. It's not clear if this affects the randomness of the study with respect to content type. Of these, they only looked at services which offered English language pages, and of those they discarded a large chunk which showed the default page of the Torhost.onion free anonymous hosting service. That left 1,813 "onion addresses" as they are known in Tor. On these they ran software to classify the content, and the accuracy of the study depends on how well the software works.

So what does this say about Tor? Arguably nothing. If you take the position that free speech is good and Tor facilitates that, and therefore it's worth the side-effect of Tor also facilitating criminal activity, then Tor is honorable. I'm not so sure. There are other ways to communicate anonymously. But Tor is with us and the only thing that would stop it is a design flaw so bad that users wouldn't use it anymore.